37 Kerberos-Key-distribution-Center

Question

Hello there,

I have several DCs in my network (2012 Standard , 2016 Standard). One of my DCs keeps repeating the following error :
Event ID 37
Source : Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Ticket PAC constructed by: servername
Client: domain\username
Ticket for: krbtgt

I already followed the instructions on this link : https://go.microsoft.com/fwlink/?linkid=2173051 and setup every DC with the enforced registry key :

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc

I know this will be deployed by different phases.

However I still have a few questions :

Is it normal to keep getting the error after we setup the enforced key on every DC ?
Is there a way to make the error go away ?
Is manually entering the enforcement key part of the process ?

Thanks in Advance.

Accepted Answer

Patch all the domain controllers as first step. Then each user will get the new improved authentication information PACs of Kerberos Ticket-Granting Tickets. (TGT) described in the KB

Then it looks like you may get one warning for every user.

https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.

the PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise not needed.

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer

I have fully patched all DC's and still receiving Event 37, Kerberos-Key-Distribution-Center repeatedly on accounts. I read that you should get one per user, I am getting multiple per user, per day.

I am not sure what else to do at this point. I am having issues with RDP, and other kerberos related authentication. The only way around the RDP auth issue is to use the IP address, or sometimes to reboot DC's.

App servers will fail SSO using Kerberos, which requires a reboot of the DC that the user is authenticating from.

Answer

I am experiencing the same exact problem as Jdharvey. Hoping someone would post a solutions. My last resort is to rebuild the DC. Not even sure if this will resolve this issue.

Answer

Hi,

Did you find a solution at your problem i Have exactly same issue after first install of 2019DC on 2008R2 forest.

So i don't Know if i have to decommission all 2008R2 DC and it will be find or not.

Or do i have to install all patches included in the article manually because i don't have extended support so no more updates.

I'm a little bit confused about which patch i have to install

On 2019 they are already up to date do i need to do something ?

Thanks in advanced

Answer

NOT the answer but feeling like I'm getting closer to a solutions. As mentioned on my earlier post, I am experiencing the same issue (Event ID 37) as the post above and also prevents users from being able to RDP. This is not the solution, rather a workaround which is better that having to constantly reboot the DC. I narrowed it down and found that by temporary disabling the kdc service or disabling the NIC, the affected users were successfully able RDP. I know it's not much but hoping this information helps someone might use this information to find a permanent solution.

My setup - 3 Windows 2019 Domain servers, schema 2016 and only one DC is generating Event ID 37. This culprit DC is also the only one fully patched. I'm hesitant on patching the rest as I am worried this my trigger more problems afterwards.